1. Field
One or more aspects of embodiments according to the present invention relate to data security, and more particularly to a method for determining whether an application is configured to exfiltrate personal information from a device on which it runs.
2. Description of Related Art
Various computation devices in current use may each run a variety of applications, or “apps”, each of which may exchange data with other devices such as servers, over one or more networks such as the Internet. The data exchanged by such applications with other devices may include personal information, e.g., information that may be confidential to some degree. Personal information may include, for example, a telephone number associated with a device (e.g., with a mobile phone) or the email address of a user. Some such information may be moderately confidential and some may be highly confidential, according, for example, to the degree of harm that may result if the information is misused. All such information is referred to herein as “personal” information.
An exchange of personal information may occur with a user's knowledge and consent, for example if a user is using an application to send her phone number to another user. In other cases it may occur without the user's knowledge and/or against the user's wishes, as, for example, if it results in undesired and burdensome unsolicited phone calls after an application sends a user's phone number to a telemarketing company. Such sending of personal data, without a user's express instructions or consent to do so, is referred herein as exfiltration.
As such, there are commercial uses for, and there is a need for, a method for identifying applications that exfiltrate personal data, so that users may avoid their use or uninstall them.